# Response defaults: the MIME table, and UTF-8 applied to the text types
# nginx tags with a charset. override_charset lets nginx convert responses
# from FastCGI/proxied upstreams that already declare a different charset.
charset utf-8;
override_charset on;
include /etc/nginx/mime.types;

# TLS: 1.2 and 1.3 only. Every listed 1.2 suite is ECDHE with an AEAD
# (AES-GCM or ChaCha20-Poly1305), so all sessions have forward secrecy and no
# CBC or RSA-key-exchange suite is ever offered.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# Key-exchange groups, server preference order. NOTE(review): secp256k1 is
# not a group browsers offer for TLS, and secp256r1 (prime256v1) is absent;
# a client supporting none of X25519 / X448 / secp384r1 cannot connect —
# confirm that is intended before touching this list.
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
# Resumption via the shared server-side cache only. Tickets are off because a
# long-lived ticket key would undo forward secrecy for resumed sessions; the
# 1d timeout bounds how long cached session state stays reusable.
ssl_session_tickets off;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;

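# Browser-side hardening headers. `always` makes nginx attach them to every
# response status; without it add_header only fires on success and redirect
# responses, so error pages went out without HSTS and nosniff.
#
# NOTE(review): add_header is NOT merged across levels. Any location (or
# included file) that declares an add_header of its own drops this entire set
# for its responses and has to restate it.
add_header Strict-Transport-Security "max-age=15768000" always;
add_header X-Content-Type-Options nosniff always;
# Set to 0: the XSS auditor this header controlled has been removed from
# current browsers, and in older ones its "block" mode could be abused as a
# cross-site leak oracle; 0 explicitly disables it. A Content-Security-Policy
# is the modern control and is not set in this file.
add_header X-XSS-Protection "0" always;
add_header X-Robots-Tag none always;
add_header X-Download-Options noopen always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy strict-origin always;
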
# Directory index resolution: PHP front controller first, then a static page.
index index.php index.html;

# No request-body limit at this level (0 = unlimited). Large uploads and
# attachments need it, but it also lets any client stream an unbounded body
# to any handler here; a per-location limit or rate limiting would be the
# only backstop if that is ever abused.
client_max_body_size 0;

# Response compression. Bodies under 256 bytes are left alone, `Vary:
# Accept-Encoding` is added so caches keep encoded/unencoded variants apart,
# and requests arriving through a proxy (Via header) are not compressed.
# NOTE(review): compressing dynamic text/JSON over TLS is the precondition
# for BREACH-style attacks on secrets reflected next to attacker-controlled
# input; whether that applies depends on the pages served, not on this file.
gzip on;
gzip_min_length 256;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_vary on;
gzip_proxied off;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

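# Long-lived caching for static assets: `expires max` emits a far-future
# Expires and a max-age Cache-Control; `public` is added so shared caches
# may keep them.
location ~ ^/(fonts|js|css|img)/ {
  expires max;
  add_header Cache-Control public;
  # add_header at this level replaces (does not extend) the server-level
  # set, so without the lines below asset responses carried none of the
  # hardening headers. nosniff matters most here (scripts and styles).
  add_header Strict-Transport-Security "max-age=15768000" always;
  add_header X-Content-Type-Options nosniff always;
  add_header X-XSS-Protection "0" always;
  add_header X-Robots-Tag none always;
  add_header X-Download-Options noopen always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies none always;
  add_header Referrer-Policy strict-origin always;
}
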
# Document root and logging.
root /web;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
# Strip PHP's version banner from FastCGI responses. NOTE(review):
# server_tokens is not set in this file; check the global config if the
# Server header must not reveal the nginx version.
fastcgi_hide_header X-Powered-By;
# Emit relative Location headers on nginx-generated redirects, so the
# scheme/host the client used (possibly via a front proxy) is preserved
# instead of being reconstructed here.
absolute_redirect off;

# Front-controller routing.
#
# 1. Serve an existing file or directory under $root verbatim; otherwise
#    fall through to @strip-ext, which maps /foo to /foo.php.
#    NOTE(review): everything under /web that is not *.php and not caught by
#    another location is served as a static file, dotfiles included. A
#    `location ~ /\.` deny would have to spare /.well-known and the /.woa/
#    prefix used further down, so it is flagged here rather than added.
location / {
  try_files $uri $uri/ @strip-ext;
}

# 2. Pretty URLs for two PHP endpoints. The rewrites carry no flag, so nginx
#    re-runs location matching on the new URI and the request lands in the
#    PHP handler. The first capture is greedy (it swallows everything up to
#    the last slash) and both are inserted into the query string unencoded:
#    for /edit the client chooses the parameter *name*, and a segment
#    containing `&` injects further parameters — edit.php and qhandler.php
#    must treat every key they receive as untrusted.
location /qhandler {
  rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
}

location /edit {
  rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
}

# 3. Extension-less fallback: append .php and stop rewriting (`last`), so
#    the new URI is matched against the locations again and reaches the PHP
#    handler, whose own try_files answers 404 if no such script exists.
location @strip-ext {
  rewrite ^(.*)$ $1.php last;
}

# REST API: /api/v1/<rest> -> json_api.php?query=<rest>, unless a real file
# or directory of that name exists under $root (try_files checks those
# first). The fallback URI replaces the client's original query string, and
# `$1` is the decoded path remainder passed unencoded, so json_api.php has to
# parse `query` defensively.
location ~ ^/api/v1/(.*)$ {
  try_files $uri $uri/ /json_api.php?query=$1;
}

# ACME HTTP-01 challenge files, served as plain text. `^~` stops regex
# location matching, so none of the regex handlers can capture these URIs,
# and `allow all` overrides any access rule inherited from the server level
# so the challenge stays reachable if restrictions are added later.
location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  allow all;
}

# Client-address recovery for deployments with a reverse proxy in front.
# When the direct peer is inside one of these ranges, the address taken from
# X-Forwarded-For replaces $remote_addr — and with it the X-Real-IP /
# X-Forwarded-For values this file forwards to rspamd and SOGo, plus the
# address the access log records with the default format. real_ip_recursive
# walks the header from the right, skipping trusted addresses, and uses the
# first untrusted one.
#
# NOTE(review): every RFC 1918 / ULA range is trusted. If the direct peer for
# *all* clients is such an address (a container bridge gateway, a LAN-side
# front-end), any client can set X-Forwarded-For and choose the address that
# downstream components and log-based blockers see. Narrow this to the real
# proxy addresses wherever the topology allows.
real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;

# RFC 6764 service discovery: send CalDAV/CardDAV clients to SOGo.
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;

# DAV principal URL used by some clients -> SOGo's DAV root. With
# absolute_redirect off the Location header is emitted as a bare path.
location ^~ /principals {
  return 301 /SOGo/dav;
}

# PHP-FPM handler for every URI ending in .php. Regex locations win over
# plain prefix locations, so *.php never falls into `location /` — unless a
# `^~` prefix (e.g. /SOGo) matched first, in which case that one wins.
location ~ \.php$ {
  # Refuse to proxy a script that does not exist on disk. This is the guard
  # against the cgi.fix_pathinfo trick (/upload.png/x.php running an
  # uploaded file as PHP): a non-existent path gets a 404 here instead of
  # being handed to FPM.
  try_files $uri =404;
  # Splits "/script.php/extra" into script and PATH_INFO. Because this
  # location only matches URIs that *end* in .php, the second group can
  # never match and PATH_INFO below is always empty; kept for symmetry with
  # the other FPM locations.
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass phpfpm:9002;
  fastcgi_index index.php;
  include /etc/nginx/fastcgi_params;
  # $document_root is /web (server-level root); the FPM side has to see the
  # same path for SCRIPT_FILENAME to resolve.
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  # One hour, presumably for long-running scripts; it also means a stalled
  # script holds its worker connection for that long.
  fastcgi_read_timeout 3600;
  fastcgi_send_timeout 3600;
}

# rspamd controller / web UI, reverse-proxied over plain HTTP to the
# `rspamd` host. Nothing in this file authenticates these requests; access
# control is whatever the rspamd controller itself enforces.
location /rspamd/ {
  proxy_pass http://rspamd:11334/;
  proxy_redirect off;
  proxy_set_header Host $http_host;
  # Both headers carry the real_ip-adjusted client address. NOTE(review): if
  # rspamd grants password-less access to addresses it treats as local and
  # that check can be satisfied through these headers, then X-Forwarded-For
  # spoofing (see set_real_ip_from) becomes an auth bypass — verify against
  # the rspamd configuration.
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  # Login endpoint. proxy_pass is never inherited, and proxy_set_header is
  # dropped as a set once a nested location defines any of its own, so all
  # of it is restated. A 403 from rspamd is replaced by the local
  # _rspamderror.php page.
  location /rspamd/auth {
    proxy_pass http://rspamd:11334/auth;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_intercept_errors on;
    error_page 403 /_rspamderror.php;
  }
}

# Exchange Autodiscover (XML and JSON variants) and mail autoconfig. All
# three hand a FIXED script to FPM: try_files sets $uri to that script when
# it exists on disk (404 otherwise), so SCRIPT_FILENAME never depends on the
# client-supplied path. No PATH_INFO is passed.
location ~* ^/Autodiscover/Autodiscover.xml {
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass phpfpm:9002;
  include /etc/nginx/fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  try_files /autodiscover.php =404;
}

location ~* ^/Autodiscover/Autodiscover.json {
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass phpfpm:9002;
  include /etc/nginx/fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  try_files /autodiscover-json.php =404;
}

# Matches any URI containing Mail/Config-v1.1.xml with either case of the
# leading letters (e.g. /.well-known/autoconfig/mail/config-v1.1.xml). The
# regex is unanchored and the dots are unescaped, so it matches more than the
# literal file name; harmless here because the script is fixed.
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass phpfpm:9002;
  include /etc/nginx/fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  try_files /autoconfig.php =404;
}

# auth_request target used when ALLOW_ADMIN_EMAIL_LOGIN is set (presumably
# wired up by the sogo_proxy_auth.active include). `internal` makes it
# unreachable from clients: only an nginx-internal redirect can enter it.
# The request body is dropped and Content-Length cleared because the
# sub-request only needs headers; the original URI travels in X-Original-URI.
location /sogo-auth-verify {
  internal;
  proxy_pass http://127.0.0.1:65510/sogo-auth;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $http_host;
}

# Exchange ActiveSync, proxied to SOGo. The proxy target and the optional
# auth_request hook presumably live in the two included files; `^~` keeps
# regex locations from intercepting these URIs.
location ^~ /Microsoft-Server-ActiveSync {
  include /etc/nginx/conf.d/sogo_proxy_auth.active;
  include /etc/nginx/conf.d/sogo_eas.active;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # Hour-long timeouts, large buffers and an unlimited body: EAS holds
  # connections open for a long time and syncs attachments through here.
  proxy_connect_timeout 75;
  proxy_send_timeout 3600;
  proxy_read_timeout 3600;
  proxy_buffers 64 256k;
  client_body_buffer_size 512k;
  client_max_body_size 0;
}

# SOGo web UI and DAV, reverse-proxied. `^~` means this prefix beats every
# regex location for anything under /SOGo; the WebServerResources alias
# locations further down still win for their paths because a longer literal
# prefix beats a shorter one. Proxy target and optional auth_request hook
# come from the includes.
location ^~ /SOGo {
  include /etc/nginx/conf.d/sogo_proxy_auth.active;
  include /etc/nginx/conf.d/sogo.active;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # WebObjects headers SOGo uses to reconstruct its external URL. Both
  # server-url and Host are built from the client-supplied Host header, so a
  # forged Host reaches SOGo as-is; the vhost's server_name (not visible in
  # this file) is what bounds it. $client_req_scheme is not defined here —
  # presumably a map in the global config.
  proxy_set_header x-webobjects-server-protocol HTTP/1.0;
  proxy_set_header x-webobjects-remote-host $remote_addr;
  proxy_set_header x-webobjects-server-name $server_name;
  proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
  proxy_set_header x-webobjects-server-port $server_port;
  proxy_send_timeout 3600;
  proxy_read_timeout 3600;
  client_body_buffer_size 128k;
  client_max_body_size 0;
  # Ends rewrite-phase processing; no rewrite follows it in this block, but
  # the included files may contain some, so it is kept.
  break;
}

# Any URI ending in "/sogo" (case-insensitive; the exact /SOGo prefix is
# already taken by the ^~ location) -> canonical /SOGo. The target is built
# from the client's own Host header, so it can only send the client back to
# the host it asked for.
location ~* /sogo$ {
  return 301 $client_req_scheme://$http_host/SOGo;
}

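# SOGo static resources, served straight from the package directory instead
# of through the proxy. Each location is a literal prefix ending in "/" and
# each alias ends in "/", so the path remainder is appended to the alias
# root without the classic alias-traversal pitfall (location without a
# trailing slash); nginx normalises ".." in $uri before matching.
location /SOGo.woa/WebServerResources/ {
  alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}

location /.woa/WebServerResources/ {
  alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}

location /SOGo/WebServerResources/ {
  alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}

# Removed a dead block that read:
#   location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
#     alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
#   }
# It could never match: without the `~` modifier the pattern is a literal
# prefix beginning with "(", $1/$2 are never set, and even as a regex it
# would be shadowed by `location ^~ /SOGo`, which disables regex matching
# for everything under /SOGo. Those product resources are therefore served
# through the SOGo proxy, and dropping the block changes nothing.
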
# Site-specific overrides. Regex locations they add are tried after the ones
# above; prefix locations are unaffected by file order.
include /etc/nginx/conf.d/site.*.custom;

# While an upstream is down or still starting, show a static status page
# instead of nginx's bare 502. The named location keeps the 502 status and
# serves $root/_status.502.html via rewrite ... break.
error_page 502 @awaitingupstream;

location @awaitingupstream {
  rewrite ^(.*)$ /_status.502.html break;
}

# /cache/<name>: serve a matching file or directory under $root if present,
# otherwise delegate to resource.php with the remainder as `file`. The
# remainder is the decoded, normalised path (nginx has already removed "..")
# but is inserted into the query string unencoded, so `&` inside it adds
# parameters; resource.php must validate `file` itself before touching the
# filesystem.
location ~ ^/cache/(.*)$ {
  try_files $uri $uri/ /resource.php?file=$1;
}